At a glance.

  • Supercookies.
  • Chinese surveillance data used as crystal ball.
  • California concealed weapons permit holder data exposed.

It’s a bird, it’s a plane…it’s a supercookie.

Wired details a new web tracker called TrustPid which allows mobile carriers to use a user’s IP address to create pseudo-anonymous tokens, one for each participating website they visit, that can then be used to provide personalized product recommendations. Since April, customers of German phone companies including Vodafone and Deutsche Telekom have been part of a TrustPid trial. TrustPid says its process is “secure and privacy-friendly,” but critics, who have labeled the ad trackers “supercookies,” are concerned about the way in which TrustPid allows network operators to essentially hijack basic communications data to turn it into a targeted advertising platform.

Simon Poulter, senior manager of corporate communications at Vodafone, disagrees with the supercookie label, stating that the technology complies with the General Data Protection Regulation and is “based on digital tokens which do not include any personally identifiable information” and have a limited lifespan of just ninety days. William Harmer, product lead at Vodafone, adds that unlike a supercookie, TrustPid doesn’t use data interception to create customer profiles, reducing the possibility of user data being triangulated across websites. A spokesperson for the German Federal Commissioner for Data Protection and Freedom of Information says the organization has been informed of the trial, but has not yet made a final decision about TrustPid’s data processing. 

Chinese surveillance data used as crystal ball.

Intense government surveillance of Chinese citizens’ activities is nothing new, but the New York Times reveals how Chinese authorities are now using that trove of collected data to essentially predict the future. Armed with technology allegedly capable of detecting patterns in citizen behavior in order to foresee crimes before they happen, Chinese police are using the data to target potential lawbreakers even if they have no criminal past. The tech can warn authorities if vulnerable groups like ethnic minorities or those with mental illness engage in “risky” behaviors, leaving citizens constantly in fear of setting off a possible red flag. What’s worse, the surveillance tech is partly based on data-driven policing software from the US and EU that privacy advocates say is inherently engrained with racism and socio-economic discrimination. Maya Wang, a senior China researcher with Human Rights Watch, stated, “This is an invisible cage of technology imposed on society, and the disproportionate brunt of it being felt by groups of people that are already severely discriminated against in Chinese society.”

California concealed weapons permit holder data exposed.

The California State Sheriff’s Association has disclosed that a data breach at the state Department of Justice exposed the names, addresses, and license types of every Concealed Carry Weapons (CCW) permit holder in the state. KTLA reports that the breach impacted data contained in the state’s 2022 Firearms Dashboard Portal, a platform intended to increase the “transparency and information sharing for firearms-related data.” The state has disabled access to the website hosting the data, but it’s unclear how long the information was publicly accessible on the Department of Justice’s website or whether it might have been accessed before the leak was detected. 

We received industry comment on the incident. Nick Tausek, Security Automation Architect at Swimlane, sees the likelihood of negligence:

“Given that this breach involving the Department of Justice was the result of a data exposure on their recently launched site, and the breach informant was the California State Sheriff’s Association rather than a security researcher or a security operation center, it appears that this incident was the result of negligence, rather than an attack. Although details are still sparse, it seems likely that this leak that exposed names, addresses and license types of all concealed carry permit holders in California may have been a result of improper authentication controls around accessing dashboards that house and permit access to this type of information.

“To lessen the chances of situations like this repeating themselves in the future, organizations – especially those as impactful as the Department of Justice – must prioritize the implementation of proper security controls. Robust password protection, multifactor authentication and regularly changing passwords can help organizations mitigate the risk of data leaks. Furthermore, leveraging low-code security automation allows companies to take a step further in their cybersecurity best practices by centralizing detection, investigation and response capabilities. With all-encompassing security platforms that automate tedious routines, the chance of human error is brought down to a minimum and device integrity remains at its maximum.”

Tyler Glotz, Manager, Governance Risk & Compliance at LogRhythm, sees another reason to regard protection of information as challenging:

“This breach of personal identifiable information (PII) reflects the challenging nature of protecting information within state and local government agencies. Limited infosec budgets raise the risk of non-public data accidentally being released or intentionally breached by bad actors. We still don’t have word if this was a mistake or a hack, but the Fresno County Sheriff’s office is suggesting persons affected should file an online police report.

“This event also raises questions of inside actors or hacktivists reacting to national changes in concealed carry law that came from NYSRPA v Bruen just days before. The list was circulated on several social media sites immediately after being made public. Release of sensitive data furthers the risk to real physical safety that results from a breach like this.

“State and local government entities should make sure to implement strong access controls, change management, and robust data classification procedures and processes to avoid accidentally disseminating personal information like this, or prevent them from being breached. This incident stresses the importance of application and product security testing to ensure things like this don’t happen before something is pushed into production. When rolling out a new platform, it is best practice to perform a Data Privacy Impact Assessment to determine what privacy risks exist and how they can be mitigated.”

Stephan Chenette, Co-Founder and CTO, AttackIQ, wrote to note the ways in which state and local governments are attractive targets for cybercriminals:

“State and local government organizations are an attractive target for cybercriminals because of the wealth of sensitive information they hold and the often limited cybersecurity resources they possess. In the case of the California Department of Justice, the personally identifiable information, which includes the names, addresses, Criminal Identification Index number and license types of all concealed carry permit holders in California, was hacked. Now, this data can be bought and sold for top dollar on the dark web, further exposing victims to future fraud or phishing attacks.

“It is critical for all organizations that manage sensitive information to adopt a threat-informed cyber-defense strategy. This approach should be tailored to focus on the adversaries most likely to impact their operations to maximize their ability to protect sensitive information. This should include mapping organizational capabilities and security controls to specific attack scenarios to measure their preparedness to detect, prevent and respond to these threats. They should also employ continuous evaluation of their existing security controls to uncover gaps before a hacker finds and exploits any weaknesses.

“To best defend against data breaches, it is also important to understand the common tactics, techniques, and procedures used by the adversary. Using the MITRE ATT&CK framework, government organizations can test their cyberdefenses against known threats and ensure that their defenses function as they should. This gives organizations a ready-made, adaptive means to plan for threats.”

Tim Marley, VP Audit, Risk & Compliance, Field CISO at Cerberus Sentinel, suggests that investigators look at app development:

“While we don’t know what happened in this instance, one area for consideration would be regarding application development. Particularly web-facing development should always be done with an effort to design security into the process. If we “build in” security from the beginning and adequately test our systems prior to launching any new code or modifying existing code, the likelihood of compromise is significantly lessened. Often, we see organizations rushing solutions out the door with an agile mindset that focuses on making it work over making it work securely. The Open Web Application Security Project (OWASP) has existed for years with the prevention of this sort of incident as part of their core mission. We only need to adopt a Software Development Life Cycle (SDLC) that incorporates these sorts of principles.

“The failure to keep our stakeholders’ sensitive data confidential is coming with greater consequences for organizations in the United States. Five states currently have privacy laws and another six have legislation at some stage of review. At the end of the day, we shouldn’t need legislation to force us to examine the sensitive data in our possession and verify that we protect it at every stage of the data lifecycle. We are the custodians of this data and owe it to our customers, clients, partners, and residents to verify that we always manage this information securely. If we fail to do so, we stand to lose their trust and may incur significant financial and operational penalties as a result.”